Updated It is possible to hijack and manipulate Cellebrite's phone-probing software tools by placing a specially crafted file on your handset, it is claimed.
Signal app supremo Moxie Marlinspike said in an advisory on Wednesday that he managed to get his hands on some of Cellebrite's gear, which is typically used by cops, government agents, big biz, and authoritarian regimes to forcibly access the contents of physically seized smartphones.
Thought the FBI were the only ones able to unlock encrypted phones? Pretty much every US cop can get the job doneREAD MORE
Once a device is unlocked by Cellebrite's UFED software, its files and applications can be examined using a Cellebrite program called Physical Analyzer running on a Windows PC.
Marlinspike claims this software collection does a poor job of protecting itself when parsing malicious data extracted from handsets, to the point where it's possible for an innocent-looking file to inject and execute arbitrary code on the host PC.
That code can then modify the analyzer's operation, manipulate forensics reports, and so on. Essentially, you can turn the tables on whoever's probing the phone and hamper their investigation. Here's how Marlinspike put it:
For example, by including a specially formatted but otherwise innocuous file in an app on a device that is then scanned by Cellebrite, it’s possible to execute code that modifies not just the Cellebrite report being created in that scan, but also all previous and future generated Cellebrite reports from all previously scanned devices and all future scanned devices in any arbitrary way (inserting or removing text, email, photos, contacts, files, or any other data), with no detectable timestamp changes or checksum failures. This could even be done at random, and would seriously call the data integrity of Cellebrite’s reports into question.
Any app could contain such a file, and until Cellebrite is able to accurately repair all vulnerabilities in its software with extremely high confidence, the only remedy a Cellebrite user has is to not scan devices.
Proof-of-concept exploits have been developed for UFED and Physical Analyzer to prove this, we're told. Signal's creator went on to say he'll disclose the holes he's found when Cellebrite discloses the vulnerabilities it exploits to forcibly unlock confiscated handhelds.
In a video, he demonstrated an arbitrary-code-execution exploit against what appears to be version 126.96.36.199 of UFED; the latest version, we note, is 7.44, which was released early this month. The Register understands these proof-of-concept exploits work against the latest builds of Cellebrite's tools.
The main problem, according to Marlinspike, is that Cellebrite's suite includes software libraries – such as FFmpeg DLLs – that haven't been updated in years to patch known exploitable bugs, "industry-standard exploit mitigation defenses are missing," and "many opportunities for exploitation are present."
Finally, and seemingly as a result of all this, Marlinspike strongly hinted that future versions of Signal may include files that mess up Cellebrite's software:
In completely unrelated news, upcoming versions of Signal will be periodically fetching files to place in app storage ... We have a few different versions of files that we think are aesthetically pleasing, and will iterate through those slowly over time. There is no other significance to these files.
This all comes after Cellebrite announced it had updated Physical Analyzer to parse the file formats used by Signal on unlocked devices. A spokesperson for Israel-headquartered Cellebrite was not available for immediate comment on Marlinspike's findings. ®
Updated to add
A spokeswoman for Cellebrite declined to comment specifically on Marlinspike's discoveries, and instead insisted the biz keeps its software patched:
Cellebrite is committed to protecting the integrity of our customers’ data, and we continually audit and update our software in order to equip our customers with the best digital intelligence solutions available.
On the subject of who uses the software, she added: "We have strict licensing policies that govern how customers are permitted to use our technology and do not sell to countries under sanction by the US, Israel or the broader international community."
PS: If you want to know more about the insides of Cellebrite's software, KoreLogic has a write-up here from last year.